Merge branch 'any-mac'

agdsn · Nov 1, 2020 · 46a12bc · 46a12bc
2 parents 25861b7 + e1c0126
commit 46a12bc
Show file tree

Hide file tree

Showing 4 changed files with 56 additions and 17 deletions.
diff --git a/templates/freeradius/mods-config/sql/main/postgresql/queries.conf b/templates/freeradius/mods-config/sql/main/postgresql/queries.conf
@@ -117,15 +117,15 @@ client_query = "\
 authorize_check_query = "\
 	SELECT \"Priority\", \"UserName\", \"Attribute\", \"Value\", \"Op\" \
 	FROM ${authcheck_table} \
-	WHERE \"UserName\" = '%{SQL-User-Name}' \
+	WHERE (\"UserName\" = '%{SQL-User-Name}') IS NOT FALSE \
 	AND ((\"NASIPAddress\" = '%{NAS-IP-Address}') IS NOT FALSE) \
 	AND ((\"NASPortId\" = '%{%{NAS-Port-ID}:-%{NAS-Port}}') IS NOT FALSE) \
 	ORDER BY \"Priority\", \"NASIPAddress\" NULLS LAST, \"NASPortId\" NULLS LAST"
 
 authorize_reply_query = "\
 	SELECT \"Priority\", \"UserName\", \"Attribute\", \"Value\", \"Op\" \
 	FROM ${authreply_table} \
-	WHERE \"UserName\" = '%{SQL-User-Name}' \
+	WHERE (\"UserName\" = '%{SQL-User-Name}') IS NOT FALSE \
 	AND ((\"NASIPAddress\" = '%{NAS-IP-Address}') IS NOT FALSE) \
 	AND ((\"NASPortId\" = '%{%{NAS-Port-ID}:-%{NAS-Port}}') IS NOT FALSE) \
 	ORDER BY \"Priority\", \"NASIPAddress\" NULLS LAST, \"NASPortId\" NULLS LAST"
@@ -205,7 +205,7 @@ authorize_group_reply_query = "\
 group_membership_query = "\
 	SELECT \"GroupName\" \
 	FROM ${usergroup_table} \
-	WHERE \"UserName\"='%{SQL-User-Name}' \
+	WHERE (\"UserName\"='%{SQL-User-Name}') IS NOT FALSE \
 	AND ((\"NASIPAddress\" = '%{NAS-IP-Address}') IS NOT FALSE) \
 	AND ((\"NASPortId\" = '%{%{NAS-Port-ID}:-%{NAS-Port}}') IS NOT FALSE) \
 	ORDER BY \"Priority\", \"NASIPAddress\" NULLS LAST, \"NASPortId\" NULLS LAST"

diff --git a/templates/schema.sql.j2 b/templates/schema.sql.j2
@@ -325,7 +325,7 @@ ALTER FOREIGN TABLE foreign_nas OWNER TO "{{ constants.DATABASE_USER }}";
 
 CREATE FOREIGN TABLE foreign_radcheck (
     "Priority" integer /* NOT NULL */,
-    "UserName" text  /* NOT NULL */,
+    "UserName" text,
     {% if HADES_POSTGRESQL_FOREIGN_TABLE_RADCHECK_NASIPADDRESS_STRING %}
     "NASIPAddress" text,
     {% else %}
@@ -388,7 +388,7 @@ ALTER FOREIGN TABLE foreign_radgroupreply OWNER TO "{{ constants.DATABASE_USER }
 
 CREATE FOREIGN TABLE foreign_radreply (
     "Priority" integer /* NOT NULL */,
-    "UserName" text /* NOT NULL */,
+    "UserName" text,
     {% if HADES_POSTGRESQL_FOREIGN_TABLE_RADREPLY_NASIPADDRESS_STRING %}
     "NASIPAddress" text,
     {% else %}
@@ -412,7 +412,7 @@ ALTER FOREIGN TABLE foreign_radreply OWNER TO "{{ constants.DATABASE_USER }}";
 --
 
 CREATE FOREIGN TABLE foreign_radusergroup (
-    "UserName" text /* NOT NULL */,
+    "UserName" text,
     {% if HADES_POSTGRESQL_FOREIGN_TABLE_RADUSERGROUP_NASIPADDRESS_STRING %}
     "NASIPAddress" text,
     {% else %}
@@ -542,8 +542,7 @@ CREATE MATERIALIZED VIEW radcheck AS
     foreign_radcheck."Op",
     foreign_radcheck."Value"
    FROM foreign_radcheck
-  WHERE ((foreign_radcheck."UserName" IS NOT NULL)
-    AND (foreign_radcheck."Attribute" IS NOT NULL)
+  WHERE ((foreign_radcheck."Attribute" IS NOT NULL)
     AND (foreign_radcheck."Op" IS NOT NULL)
     AND (foreign_radcheck."Value" IS NOT NULL))
   WINDOW w AS (PARTITION BY foreign_radcheck."UserName", foreign_radcheck."NASIPAddress", foreign_radcheck."NASPortId" ORDER BY foreign_radcheck."Priority")
@@ -600,7 +599,7 @@ ALTER TABLE radgroupreply OWNER TO "{{ constants.DATABASE_USER }}";
 
 CREATE TABLE radpostauth (
     "Id" bigint NOT NULL,
-    "UserName" text NOT NULL,
+    "UserName" text,
     "NASIPAddress" inet NOT NULL,
     "NASPortId" text,
     "PacketType" text NOT NULL,
@@ -652,8 +651,7 @@ CREATE MATERIALIZED VIEW radreply AS
     foreign_radreply."Op",
     foreign_radreply."Value"
    FROM foreign_radreply
-  WHERE ((foreign_radreply."UserName" IS NOT NULL)
-   AND (foreign_radreply."Attribute" IS NOT NULL)
+  WHERE ((foreign_radreply."Attribute" IS NOT NULL)
    AND (foreign_radreply."Op" IS NOT NULL)
    AND (foreign_radreply."Value" IS NOT NULL))
   WINDOW w AS (PARTITION BY foreign_radreply."UserName", foreign_radreply."NASIPAddress", foreign_radreply."NASPortId" ORDER BY foreign_radreply."Priority")
@@ -677,8 +675,7 @@ CREATE MATERIALIZED VIEW radusergroup AS
     foreign_radusergroup."GroupName",
     row_number() OVER w AS "Priority"
    FROM foreign_radusergroup
-  WHERE ((foreign_radusergroup."UserName" IS NOT NULL)
-   AND (foreign_radusergroup."GroupName" IS NOT NULL))
+  WHERE ((foreign_radusergroup."GroupName" IS NOT NULL))
   WINDOW w AS (PARTITION BY foreign_radusergroup."UserName", foreign_radusergroup."NASIPAddress", foreign_radusergroup."NASPortId" ORDER BY foreign_radusergroup."Priority")
   WITH DATA;
 

diff --git a/templates/schema_fdw.sql.j2 b/templates/schema_fdw.sql.j2
@@ -91,7 +91,7 @@ ALTER TABLE nas OWNER TO "{{ constants.DATABASE_USER }}";
 
 CREATE TABLE radcheck (
     "Priority" integer NOT NULL,
-    "UserName" text NOT NULL,
+    "UserName" text,
     {% if HADES_POSTGRESQL_FOREIGN_TABLE_RADCHECK_NASIPADDRESS_STRING %}
     "NASIPAddress" text,
     {% else %}
@@ -142,7 +142,7 @@ ALTER TABLE radgroupreply OWNER TO "{{ constants.DATABASE_USER }}";
 
 CREATE TABLE radreply (
     "Priority" integer NOT NULL,
-    "UserName" text NOT NULL,
+    "UserName" text,
     {% if HADES_POSTGRESQL_FOREIGN_TABLE_RADREPLY_NASIPADDRESS_STRING %}
     "NASIPAddress" text,
     {% else %}
@@ -162,7 +162,7 @@ ALTER TABLE radreply OWNER TO "{{ constants.DATABASE_USER }}";
 --
 
 CREATE TABLE radusergroup (
-    "UserName" text NOT NULL,
+    "UserName" text,
     {% if HADES_POSTGRESQL_FOREIGN_TABLE_RADUSERGROUP_NASIPADDRESS_STRING %}
     "NASIPAddress" text,
     {% else %}

diff --git a/tests/test-radius.bats b/tests/test-radius.bats
@@ -13,16 +13,20 @@ readonly known_user_mac=40-61-86-1c-df-fd
 readonly unknown_user_mac=1e-a7-de-ad-be-ef
 readonly known_vlan_name=1KnownVLAN
 readonly unknown_vlan_name=1UnknownVLAN
+readonly known_user_port_id=K1
+readonly unknown_user_port_id=U1
 
 setup() {
 	psql foreign <<-EOF
 		INSERT INTO radcheck ("Priority", "NASIPAddress", "NASPortId", "UserName", "Attribute", "Op", "Value")
-		VALUES (1, inet '${nas_ip}', '${nas_port_id}', '$(lowercase $(mac_sextuple ${known_user_mac} :))', 'Calling-Station-Id', '==', '$(lowercase $(mac_sextuple "${nas_mac}" -))');
+		VALUES (1, inet '${nas_ip}', '${nas_port_id}', '$(lowercase $(mac_sextuple ${known_user_mac} :))', 'Calling-Station-Id', '==', '$(lowercase $(mac_sextuple "${nas_mac}" -))'),
+		(1, inet '${nas_ip}', '${known_user_port_id}', NULL, 'Calling-Station-Id', '==', '$(lowercase $(mac_sextuple "${nas_mac}" -))');
 		INSERT INTO radreply ("Priority", "NASIPAddress", "NASPortId", "UserName", "Attribute", "Op", "Value")
 		VALUES (1, inet '${nas_ip}', '${nas_port_id}', '$(lowercase $(mac_sextuple ${known_user_mac} :))', 'Reply-Message', '+=', 'radreply test'),
 		(1, NULL, NULL, 'unknown', 'Reply-Message', '+=', 'radreply unknown');
 		INSERT INTO radusergroup ("Priority", "NASIPAddress", "NASPortId", "UserName", "GroupName")
 		VALUES (1, inet '${nas_ip}', '${nas_port_id}', '$(lowercase $(mac_sextuple ${known_user_mac} :))', 'test'),
+		(1, inet '${nas_ip}', '${known_user_port_id}', NULL, 'test'),
 		(1, NULL, NULL, 'unknown', 'unknown');
 		INSERT INTO radgroupreply ("Priority", "GroupName", "Attribute", "Op", "Value")
 		VALUES (1, 'test', 'Egress-VLAN-Name', '+=', '${known_vlan_name}'),
@@ -140,6 +144,44 @@ do_request() {
 	do_request "$(declare -p request)" "$(declare -p filter)"
 }
 
+@test "check that any user at a known port authenticates via CHAP correctly" {
+	declare -Ar request=(
+		[Packet-Type]=Access-Request
+		[Service-Type]=Call-Check
+		[Framed-Protocol]=PPP
+		[User-Name]="${unknown_user_mac}"
+		[Calling-Station-Id]="${unknown_user_mac}"
+		[CHAP-Password]="${unknown_user_mac}"
+	        [NAS-Port-Id]="\"${known_user_port_id}\""
+	)
+	declare -Ar filter=(
+		[Packet-Type]=Access-Accept
+		[Egress-VLAN-Name]="\"${known_vlan_name}\""
+		[Reply-Message]="\"radreply test\""
+		[Reply-Message]="\"radgroupreply test\""
+	)
+	do_request "$(declare -p request)" "$(declare -p filter)"
+}
+
+@test "check that any user at an unkown port authenticates via CHAP correctly" {
+	declare -Ar request=(
+		[Packet-Type]=Access-Request
+		[Service-Type]=Call-Check
+		[Framed-Protocol]=PPP
+		[User-Name]="${unknown_user_mac}"
+		[Calling-Station-Id]="${unknown_user_mac}"
+		[CHAP-Password]="${unknown_user_mac}"
+	        [NAS-Port-Id]="\"${unknown_user_port_id}\""
+	)
+	declare -Ar filter=(
+		[Packet-Type]=Access-Accept
+		[Egress-VLAN-Name]="\"${unknown_vlan_name}\""
+		[Reply-Message]="\"radreply unknown\""
+		[Reply-Message]="\"radgroupreply unknown\""
+	)
+	do_request "$(declare -p request)" "$(declare -p filter)"
+}
+
 @test "check that accounting works" {
 	local -r session_id=$(printf '%4x' ${RANDOM})
 	declare -Ar request_template=(